RFR: 8264849: Add KW and KWP support to PKCS11 provider

Anthony Scarpino ascarpino at openjdk.java.net
Thu Sep 30 18:44:28 UTC 2021

On Fri, 17 Sep 2021 23:22:21 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider?
> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping.
> The rest are minor code refactoring and updates for the PKCS11 Exception class.
> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider.
> Thanks,
> Valerie

>From a high level, why does P11KeyWrapCipher support ENCRYPT and DECRYPT modes?  I expected to only see UNWRAP and WRAP mode supported.  Along those same lines I expected to only see C_WrapKey and C_UnwrapKey, and not encryption/decryption pkcs11 calls.  Is there some additional support here that I'm not seeing?


PR: https://git.openjdk.java.net/jdk/pull/5569

More information about the security-dev mailing list